Notes on Security in 2019

Editor’s Note: These notes — as well as information posted from the FS-ISAC newsletter (permitted to be distributed without restriction) — were shared by operating partner (and former Chief Security Officer at Box) Joel de la Garza internally. They’ve both been reposted below as a resource for those interested in the topics.

Some of my quick thoughts on security trends this year

‘Passwordless auth’ becomes (even more) real

With the accelerating adoption of the WebAuthn standard and support for U2F showing up in Safari, it’s highly likely that large consumer websites will adopt a “passwordless auth” experience for users.

Discussions with industry peers indicate that major entertainment companies and others are considering limited tests of the technology to help reduce friction and the number of customer support calls for password issues.

Cloud configuration overtakes ‘phishing’ as top source of breached data

When the numbers are finally crunched for 2018, it’s likely that misconfigured cloud services will overtake phishing attacks as the number one source of breached personal records.

There have been a number of large breaches in the last year resulting from cloud service configuration errors — and there aren’t indications that this trend is changing.

‘New Cold War’ goes… warm, online

With a number of analysts claiming we have entered into a ‘New Cold War’ with China, and possibly Russia, early indications seem to be that that war will escalate online. In the past year, a number of previously dormant Chinese hacking groups have sprung back to life along with several high-profile Russian groups.

These groups appear to be refining their operational security practices and looking to better mask attribution of their attacks. Critical infrastructure operators have been reporting an increase in activity that usually presages a larger campaign. There have also been some concerns raised about another attack similar to the attack on the PG&E substation in San Jose in 2013. Law enforcement sources have indicated that potential reconnaissance operations have been conducted recently by nation-state agents.

Other notes on security released by various industry sources (via Financial Services – Information Sharing and Analysis Center)

The security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.

Networking hardware and IoT

Massive botnet-style attacks may affect IoT devices and critical infrastructure. Network hardware vulnerabilities could lead to a massive botnet-style compromise.

Public retaliation

High-profile attacks, on the geopolitical stage, may be used to exploit the fear of uncertainty — giving rise to increased false flag incidents.

Emergence of newcomers

The APT world seems to be breaking into two groups: the traditional, well-resourced, most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game. (South East Asia and the Middle East are regions where such groups are becoming more prevalent.)

The negative rings

Citing Meltdown and Spectre as examples, expect an increase in the development and exploitation of lower-level malware. Hypervisor and UEFI malware will continue to see growth.

Your favorite infection vector

Listed as “the most successful infection vector ever”, spear-phishing is expected to play a bigger role going forward. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.

Destructive destroyer

Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Citing Olympic Destroyer as evidence of their effectiveness, we expect to see more occurring, especially in retaliation to political decisions.

Advanced supply chain

Supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants, we believe they are extremely unlikely to happen, and if they do, we will probably never know.

And mobile

It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.

Without a deterrent, attackers are going to keep targeting networks and getting through

Staffing, cloud, and consolidation

A lot of innovation in 2019 is going to deal with consolidation

Intelligence declassified

…remain skeptical about what you read, especially on the internet

The supply chain can offer attackers access to multiple high value targets so that they can capture a wide range of information. Plus, if the threat actor is targeting deep enough in the supply chain, there’s a good chance that they can operate unnoticed.

A view from the clouds

There have been a lot of cloud-related challenges throughout 2018 and we expect to see those continue and evolve as we move into 2019.

First, a lot of data is moving to the cloud and the attackers are going right along with it. We’re seeing a massive uptick in the number of incidents that involve cloud, and that’s really just attackers following the data. It’s not really about cloud being more or less secure.

Really, the question you should be asking is: Do you have visibility for the things that are going on in the cloud, and are you able to set up your security operations center (SOC) to be able to respond to something that happens?

Iranian cyber threat activity against U.S. entities likely to increase following U.S. exit from JCPOA, may include disruptive or destructive attacks

Cyber norms unlikely to constrain nation-state cyber operations in the near future

Publicly available malware usage by FIN and APT groups

Abuse of legitimate services for command and control

On assignment with FireEye Mandiant

Expect to see a spike in financial threat actors targeting e-commerce websites and gift cards

Russian targeting broadens, while emerging nations scramble to keep up

Continued shift from point of sale to e-commerce environments

Online banking portals in the crosshairs of attackers

Target: supply chain

Under the lens of FireEye Labs

Social engineering is the most commonly used attacker technique because it works

As the threat landscape evolves, so does security

Business email compromise leveraged in targeted attacks

Use of emerging technologies to evade detection

Other evasive maneuvers

Global Insights: APAC

The impact of skilled individual attackers and nation-state actors with skills but insufficient resources will be felt more strongly by organizations that have failed to keep up with security developments

Sights on the 2020 Olympics in Tokyo

Threat evolution

Global Insights: EMEA

With attribution, cyber criminal activities will hopefully become harder to execute in the long run, and this could bring deterrence

The dark side of social media

Lack of resources introduces risk

The fight begins with attribution

Critical infrastructure attacks looming

Global Insights: LATAM

Regions such as Latin America and Africa will become targets of more impactful attacks, which will be relevant enough to gain coverage in media outlets around the world

To stay ahead of threats in 2019, organizations need to begin shifting from a compliance-based approach to a security-based approach